For the first time this year, we have met to discuss one of the hottest topics in cybersecurity at the moment: the disclosure of vulnerabilities in Industrial Control Systems. Every day, more sectors (logistics, transportation and water, among others) are represented at The Voice of the Industry events.
The main conclusions and findings of the S4 SCADA Security Symposium, held in Miami from January 14 – 17, 2014, were presented. There was a particularly interesting talk by the researcher who discovered Stuxnet, alongside a varied group of other speakers: an end user (a mining company), a smaller company sharing its experience with open source solutions, and a talk on the importance of protecting the development of industrial applications through secure code, including applications built on open source software.
Other significant points were the new requirements for proxy machines imposed by the Government of the United States, and the introduction of the Robus project, which is used to analyze vulnerabilities in implementations of the industrial protocol DNP3; all of the implementations analyzed turned out to be vulnerable, with the sole exception of two of them.
The S4 event reached the following conclusions:
1. Convergence of IT with industrial environments, with special attention given to virtualization and monitoring tasks.
2. Adaptation and specific developments.
3. The most critical points must be solved and priorities must be established.
4. Implementation of industrial protocols.
5. A discussion of the extent to which we need to publish vulnerabilities.
Pedro Pablo Pérez gave an interesting presentation on the Digital Surveillance 24×7 services offered by Telefónica and the present situation of data centres. He made all the attendees aware that the “happy days” of security were over when those centres gave way to the concept of “endless data centres”, i.e. data centres with no established boundaries that extend to their employees, clients and, all too often, suppliers.
One of the most disturbing aspects that has to be taken into account is that of the “insiders”: people inside the organization who, for one reason or another, decide to attack it, which can cause situations where the level of service goes down, or lead to the leakage of corporate information.
With this situation being as it is, Telefónica has decided to reinforce its security strategy by buying up specialised companies and hiring experts in this field, to be prepared for what appears to be the “perfect storm” that cyber security is facing:
• Performing equally well with fewer resources.
• Complying with mandatory and legislative requirements.
Telefónica has founded a number of laboratories dedicated to the prevention and detection of, and response to, those threats.
Elyoenai Egozcue and Daniel Herreras presented the S21Sec approach to identifying vulnerabilities without losing track of the context in which each vulnerability exists. They therefore consider it fundamental to take into account vulnerabilities of design, development and configuration.
Among the different types of vulnerabilities that S21Sec analyzes, various aspects are taken into account: vulnerabilities of the network, of the platform and of procedure, the last being an element we cannot afford to neglect.
They explained that the most common network vulnerabilities are: lack of control over the flow of information, faulty configuration of the network, a bad definition of its perimeter, as well as the use of insecure protocols.
Marc Sarrias from Palo Alto Networks presented the challenges that must be overcome in managing network security in industrial environments, and explained how the technology developed by Palo Alto Networks can help us move towards this end.
The most common challenges, Marc Sarrias explained, have been the convergence of IT/OT systems, the need for network segmentation and the problems caused when information is generated. He also observed that in these environments there are numerous problems related to user identification, such as the use of generic users, the integration of the systems in various repositories, the lack of information about usage and privileges, and a lack of traceability.
Jorge Hormigos from Trend Micro started his presentation by describing some of the most recent attacks, for instance an attack on a petrochemical company in 2013 that left that company without service for eight hours. Furthermore, according to data supplied by the United States’ ICS-CERT, the number of reported incidents has gone up from 41 in 2010 to 214 in 2013.
For adequate protection of industrial environments, special attention must be paid to characteristics such as the diversity of the technologies that have to be dealt with and the delay in the publication of vulnerabilities.
Trend Micro provides a number of solutions for the protection of industrial environments such as: Deep Security, Safe Lock, Portable Security, Deep Discovery and USB Security.
The final act of the day was a round table debate, which is the way events hosted by “The Voice of the Industry” traditionally end. On this occasion the theme of the debate was the publication of vulnerabilities in industrial systems, a theme that was very well received by manufacturers such as Siemens, represented by Juan Carlos Pozas, and Logitek, represented by Fernando Sevillano, with the participation of cyber security researcher Rubén Santamarta from IOActive and the contribution of Samuel Linares, Director of the Centre.
The starting point of the debate was the result of a question posed during the registration process: “How do you feel about the publication of vulnerabilities?”
The answers given by the attendees were as follows:
• 52% in favour of a partial disclosure
• 45% in favour of a complete disclosure
• 3% against any form of publication
Considering the above data, the following questions were posed:
How must the vulnerabilities be published?
Juan Carlos Pozas (Siemens): Agrees with a controlled publication via newsletters or alerts, seeing as the customers are looking for a relation regarding a certain event.
Fernando Sevillano (Logitek): Is in favour of “reveal equitably”. In IT environments publishing vulnerabilities is a common practice and those usually affect both manufacturer and user. Furthermore, the publication and study of the way they were resolved helps to create a methodology.
Rubén Santamarta (IOActive): Believes there’s a difference between “ethical publication” and “real publication”. The prescribed process is to contact the manufacturer through CERT, although it’s not always done this way, because the manufacturer doesn’t respond. On the other hand, the researchers must publish their work for them still to be considered as such.
Samuel Linares (CCI): Agrees with the obligation to publish incidents, whereby CERT acts as mediator, and there’s a special emphasis on critical installations. Furthermore, Samuel suggests making a public list of vulnerabilities that have been detected, and he suggests doing so within a reasonable period of time that gives a manufacturer time to react. He thinks it’s very important to establish a clear process of publication.
Must there be a legal liability once the vulnerabilities are published?
Juan Carlos Pozas (Siemens): There already exists a lifelong responsibility for the equipment that must be safeguarded. Furthermore, the vulnerabilities have a great impact on the reputation of the manufacturer, seeing as the market is self-regulating. And if there’s responsibility linked to functionalities of the device, wouldn’t it be fraud not to publish them?
Fernando Sevillano (Logitek): It depends on the nature of the incident and the equipment. When a vulnerability of a manufacturer is discovered and he takes no steps to try and solve the problem, he’ll see that that will have a negative effect on his business.
Rubén Santamarta (IOActive): There already is a way to establish this responsibility. It depends on how critical they are.
Samuel Linares (CCI): It’s important to differentiate between the sanctions process and the implicit responsibility. Just like other products on the market, for instance the parts of a car, these must possess a number of specifications, and a necessary process for their replacement.
What way should the vulnerabilities be published?
Juan Carlos Pozas (Siemens): The affected system is compromised and must be analysed to know its effects, whereby the most critical points must be identified. There’s a lack of maturity in the actual publication process. A minimum level of compromise between the vulnerability and the solution must be reached.
Fernando Sevillano (Logitek): Priorities must be set by way of a quantitative analysis of the risk, and there must be a continuous awareness of what there is that can help to create a protection culture. It’s important to prioritize with regards to both the effects and the actions.
Samuel Linares (CCI): They must be published taking into account the industrial organizations, the states and the manufacturers. They must be financed by the three parties, and something must be done to raise the awareness of the citizens.
Rubén Santamarta (IOActive): The affected must be published taking into account the different environments. Furthermore, seeing as the protection of critical infrastructures is in the public interest, the States themselves must contribute to the publication thereof. Cyber security requires a far bigger effort.
Juan Carlos Pozas (Siemens): We the manufacturers are the first to ask that our product is submitted to all criteria and evaluations.
Public participation: What is the role of the user with regard to a mandatory external audit?
Fernando Sevillano (Logitek): Steps have been taken to make sure that, in the same way that certain requirements exist for the user, the same apply to the manufacturer. In the software factories secure development methods are used, which incorporate techniques that will reduce the vulnerabilities. However, as of yet there is no demand for certification (and it’s necessary).
Rubén Santamarta (IOActive): There already are real experiences, but we must improve the industrial protocols and keep the attacker far away from the control network. Once the attacker reaches this control network, the only thing that can be done is to protect oneself.
Samuel Linares (CCI): Faced with the evidence of the attacks that are made, risk analyses don’t seem to be very useful. The true problem lies in “layers 8 and 9”, i.e. the top management and directors. The only way to a solution is through knowledge, training and procedure.